From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH nf 1/2] netfilter: ctnetlink: fix refcount leak on table dump
Date: Thu, 7 Aug 2025 12:57:24 +0200 [thread overview]
Message-ID: <aJSGlBD36tgRNWpT@calendula> (raw)
In-Reply-To: <20250801152515.20172-2-fw@strlen.de>
Hi Florian,
On Fri, Aug 01, 2025 at 05:25:08PM +0200, Florian Westphal wrote:
> There is a reference count leak in ctnetlink_dump_table():
> if (res < 0) {
> nf_conntrack_get(&ct->ct_general); // HERE
> cb->args[1] = (unsigned long)ct;
> ...
goto out;
>
> While its very unlikely, its possible that ct == last.
out:
...
if (last) {
/* nf ct hash resize happened, now clear the leftover. */
if ((struct nf_conn *)cb->args[1] == last) {
cb->args[1] = 0;
}
nf_ct_put(last);
}
I think problem was introduced here:
fefa92679dbe ("netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize")
> If this happens, then the refcount of ct was already incremented.
> This 2nd increment is never undone.
>
> This prevents the conntrack object from being released, which in turn
> keeps prevents cnet->count from dropping back to 0.
>
> This will then block the netns dismantle (or conntrack rmmod) as
> nf_conntrack_cleanup_net_list() will wait forever.
>
> This can be reproduced by running conntrack_resize.sh selftest in a loop.
> It takes ~20 minutes for me on a preemptible kernel on average before
> I see a runaway kworker spinning in nf_conntrack_cleanup_net_list.
>
> One fix would to change this to:
> if (res < 0) {
> if (ct != last)
> nf_conntrack_get(&ct->ct_general);
>
> But this reference counting isn't needed in the first place.
> We can just store a cookie value instead.
cookie is indeed safer approach.
IIRC, the concern is that cookie could result in providing a bogus
conntrack listing due to object recycling, which is more likely to
happen with SLAB_TYPESAFE_BY_RCU.
nf_ct_get_id() is adding using a random seed to generate the conntrack
id:
u32 nf_ct_get_id(const struct nf_conn *ct)
{
static siphash_aligned_key_t ct_id_seed;
unsigned long a, b, c, d;
net_get_random_once(&ct_id_seed, sizeof(ct_id_seed));
Then, it should be very unlikely that such recycling that leads to
picking up from the wrong conntrack object because two conntrack
objects in the same memory spot will have different id.
next prev parent reply other threads:[~2025-08-07 10:57 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-08-01 15:25 [PATCH nf 0/2] netfilter: ctnetlink: fix memory leak in ctnetlink dump Florian Westphal
2025-08-01 15:25 ` [PATCH nf 1/2] netfilter: ctnetlink: fix refcount leak on table dump Florian Westphal
2025-08-07 10:57 ` Pablo Neira Ayuso [this message]
2025-08-07 11:29 ` Florian Westphal
2025-08-01 15:25 ` [PATCH nf 2/2] netfilter: ctnetlink: remove refcounting in expectation dumpers Florian Westphal
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=aJSGlBD36tgRNWpT@calendula \
--to=pablo@netfilter.org \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.